DEPARTMENT OF ENERGY
INFORMATION SECURITY RESOURCE CENTER
PACIFIC NORTHWEST NATIONAL LABORATORY

ADVISORY NOTICE No. 5

November 13, 1996

EMAIL LETTER BOMBS


BACKGROUND

A bug in Netscape Navigator (or possibly in Windows 95) makes it possible to send an email message that will crash the recipient's computer when the message is read.


DETAILS

A condition with security implications was discovered by the Department of Energy (DOE) Information Security Resource Center (ISRC) in the Windows 95 version of Netscape Navigator 3.0. ISRC staff determined that it is very easy to send an email message that causes the mail reader in Netscape Navigator to crash. Additionally, in some instances, the entire computer will lock up, requiring a shutdown in order to restore operation. This condition could result in the loss of unsaved work. Also, it is difficult for the person receiving this email to delete it from the Navigator Inbox without again causing a crash. These malicious email messages have been nicknamed "Email Letter Bombs."

Below is a scenario to show the "Email Letter Bomb" problem:

1. The sender creates an HTML file named BOOM.HTM (or any other filename.HTM) on their hard disk using any word processor and saves the file in ASCII format. The text in the file consists of HTML tags, which are used to produce web pages.

NOTE: The code that enables this attack is available from the ISRC upon request but only with the authorization of NN512.3.

2. The sender starts Netscape Navigator from Windows 95 and goes into the Netscape Mail program.

3. The sender composes an email message that contains BOOM.HTM as an attachment.

4. The final email message is sent to the intended victim(s).

5. When the recipient opens the email message with the Netscape Mail program, Navigator will lock up. The lock up occurs when the mail program attempts to display the BOOM.HTM attachment. Netscape's Mail program automatically shows email attachments by default.

6. A person who is computer literate can end the non-responding Netscape Navigator by pressing CTRL-ALT-DEL in Windows 95 and then selecting "End Task" on Navigator. A person who is less proficient with Windows 95 will, in all likelihood, have to turn their computer off and on, losing any work in progress.

The problem stems from Netscape's attempt to read a GIF file from serial ports COM1 through COM4. Since no data is coming in on these ports, Netscape will never find the GIF file, but will try forever to load it.
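As an added illustration (not ISRC code and not the attachment withheld above), a mail gateway could flag HTML parts that reference COM1 through COM4 before the message reaches a mail reader. The attribute list, the function and class names, and the sample message are assumptions constructed for this example.

```python
import email
import re
from email import policy
from html.parser import HTMLParser

# COM1 through COM4 (the ports named in the advisory) as a whole path
# component, optionally followed by a colon or a file extension.
DEVICE_NAME = re.compile(r"com[1-4](:|\.[^.]*)?", re.IGNORECASE)
URL_ATTRS = {"src", "lowsrc", "background", "href"}  # assumed attribute set

class DeviceRefFinder(HTMLParser):
    """Collect (tag, attribute, value) for references ending in a device name."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                path = re.split(r"[?#]", value.strip())[0]
                last = re.split(r"[\\/]", path)[-1]
                if DEVICE_NAME.fullmatch(last):
                    self.hits.append((tag, name, value))

def scan_message(raw_bytes):
    """Return (filename, tag, attribute, value) hits from every text/html part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = DeviceRefFinder()
            finder.feed(part.get_content())
            finder.close()
            hits.extend((part.get_filename(), *hit) for hit in finder.hits)
    return hits

# Constructed sample message with an HTML attachment (not the ISRC test file).
SAMPLE = (
    b"From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
    b'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="XX"\r\n\r\n'
    b"--XX\r\nContent-Type: text/plain\r\n\r\nSee attachment.\r\n"
    b"--XX\r\nContent-Type: text/html\r\n"
    b'Content-Disposition: attachment; filename="NOTE.HTM"\r\n\r\n'
    b'<html><body><img src="logo.gif"><img src="file:///COM3"></body></html>\r\n'
    b"--XX--\r\n"
)

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

A gateway that gets a non-empty result can quarantine the message or strip the flagged part rather than deliver it.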


VALIDATION EFFORTS

The validation process consisted of the ISRC creating the "Email Letter Bomb" attachment and sending an email message, with the bomb attached, to a test platform. The bomb locked Netscape and forced a CTRL-ALT-DEL to stop Netscape from the continuous loading process. An attempt to delete the message caused a lockup as well. This attack does not seem to affect Macintosh platforms.


POSSIBLE IMPACT

This attack may result not only in lost data and downtime, but also in confusion and paranoia. The person on the receiving end of email may be afraid to open what otherwise may be a legitimate attachment.


RECOMMENDED ACTION

A solution to the problem is to open the "View" menu in Netscape Mail and select "Attachments as Links." Doing this stops Netscape from automatically opening an attachment and instead creates a hyperlink to the attachment. Clicking on the hyperlink will lock Netscape, but opening the email message will not. With this fix it is now possible to delete the message without affecting Netscape.

It is also recommended that this information be coordinated with the CIAC, and that an assessment be conducted to determine the extent of the threat posed to the DOE Information Assurance Infrastructure.




Last Updated October 2001